Recent payment-scraping attacks have been plaguing online retailers, including high-profile companies such as Ticketmaster, British Airways, ABS-CBN, and Newegg. Given the similarities in the methods employed in these attacks, they are being linked to a threat dubbed ‘Magecart.’ The report focuses on the tactics, techniques, and procedures (TTP) identified in these campaigns, which suggest that multiple threat actors are directing these attacks. Given the success of these attacks, we can logically expect an increase in the number of attacks and targets, especially toward the holiday season.
The Threat Anatomy
Cybercriminals are inserting malicious scripts into the online shopping process. These scripts are being inserted into pages related to the ‘cart,’ ‘checkout’ or ‘payment’ process, and we have found that some scripts appear to be injected as new elements, while others have been appended to existing legitimate scripts.
Based on the payloads analyzed, threat actors must perform some level of reconnaissance to customize the scraper for each targeted retailer. This allows the threat actor to potentially deploy the script in an automated fashion, providing a convenient and fast approach to exploiting a common vulnerability shared by multiple retailers.
When the scraper detects the checkout page, the customer’s personal information and payment details are gathered and prepared for transmission to the C2 server. The breach report details the three-step process used in an actual attack: the data is compiled as JSON, the JSON is then Base64 encoded, and finally characters within the Base64-encoded data are replaced with non-Base64 characters to thwart casual analysis.
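The two placement variants described above (a new script injected into the page, or code appended to an existing legitimate script) can be caught by comparing the scripts on a live checkout page against a known-good snapshot. The following is an added example written for this page, not code from the report or from any retailer; the HTML snippets, the `trackForm()` stub and the `cdn.example.invalid` URL are constructed placeholders.

```python
import hashlib
from html.parser import HTMLParser


class _ScriptCollector(HTMLParser):
    """Collect every <script> on a page: external ones as 'src:<url>', inline ones as their body."""

    def __init__(self):
        super().__init__()
        self.scripts = []
        self._src = None
        self._buf = None  # non-None only while inside a <script> element

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._src = dict(attrs).get("src")
            self._buf = []

    def handle_data(self, data):
        if self._buf is not None:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._buf is not None:
            body = "".join(self._buf).strip()
            self.scripts.append("src:" + self._src if self._src else body)
            self._buf = None


def extract_scripts(html):
    parser = _ScriptCollector()
    parser.feed(html)
    return parser.scripts


def _sha256(text):
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def audit_checkout_scripts(live_html, baseline_html):
    """Return findings as (kind, detail): 'injected' for a script with no counterpart in the
    baseline, 'appended' for a baseline inline script that now carries extra trailing code."""
    known = extract_scripts(baseline_html)
    known_hashes = {_sha256(s) for s in known}
    findings = []
    for script in extract_scripts(live_html):
        if _sha256(script) in known_hashes:
            continue  # byte-for-byte identical to a known-good script
        base = next((k for k in known if not k.startswith("src:") and script.startswith(k)), None)
        if base is not None:
            findings.append(("appended", script[len(base):].strip()))
        else:
            findings.append(("injected", script))
    return findings


# Constructed sample pages: a known-good checkout page and a tampered copy of it.
BASELINE_HTML = """<html><body>
<script src="/js/checkout.js"></script>
<script>var cart = {items: []};</script>
</body></html>"""

LIVE_HTML = """<html><body>
<script src="/js/checkout.js"></script>
<script>var cart = {items: []};
trackForm();</script>
<script src="https://cdn.example.invalid/stats.js"></script>
</body></html>"""

if __name__ == "__main__":
    for kind, detail in audit_checkout_scripts(LIVE_HTML, BASELINE_HTML):
        print(kind, "->", detail)
```

External scripts are compared here by URL only, so a legitimate `src` whose remote file was modified would pass; hash the fetched content as well, or pin it with Subresource Integrity, to cover that case.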
The Magento Attraction
With this type of attack, any online retailer is fair game. But in the case of the files analyzed, the Magento eCommerce platform is certainly a targeted platform.
However, it is important to note that the attacks affecting Magento share traits that are generally attributed to the same group of threat actors behind the Ticketmaster and British Airways attacks, even though those companies use other eCommerce platforms.
Magento, an Adobe company, is a very popular eCommerce platform with a market share in the range of 14 – 30%. Version 1 of Magento was originally released in 2008, with official support ending in 2020; version 2 was released in 2015 as a complete rebuild, which prevents direct upgrades from v1 to v2. Approximately 24% of retail sites using Magento have been identified as running v1, 29% as running v2, and 45% as unidentifiable.
Although the evidence doesn’t point to specific versions, running legacy versions generally exposes a site to increased vulnerability and risk. The breach report details some features of Magento that could present avenues for possible attacks.
The Tale of the TTP
The analysis of the ABS-CBN breach identified a distinct set of TTP, which helped in the discovery of more C2 infrastructure as well as additional potential victims. This TTP cluster revealed six behaviors consistently observed in the C2 infrastructure, which are detailed in the breach report.
The report also provides in-depth details about the threat actor TTP cluster.
In the case of Newegg, the scraper was collecting data and sending it to the domain neweggstats.com via SSL/TLS. The domain was registered just one day before the attack began, with an IP address associated with a Magecart drop server used for receiving scraped credit card data.
Targeted Online Retailers
At least 40 retailers, mostly in the U.S., Europe, and Australia, have been targeted by Magecart attacks. Many of these retailers are in the Fashion and General Merchandise sectors, as well as six more sectors detailed in the report.
From the analysis following the ABS-CBN attack, the TTP threat actor cluster is focusing on targets using the Magento eCommerce platform. Retailers using this platform should, as a basic measure, follow the recommendations from the Magento Security Center. Further security measures should be taken by Magento users and by users of other eCommerce platforms.
While the report highlights larger online retailers, smaller retailers should be no less concerned, as they are also a lucrative and relatively easy target for cyber criminals. Cyber criminals often prefer a steady income from a smaller online retailer over a substantial one-time hit from a single large breach. It is fair to say that smaller online retailers tend to be less equipped and forearmed to protect themselves against a breach. If a large online retailer that invests in cybersecurity and has systems and processes in place can go for several months (or years) without noticing a breach, what chance does a smaller, less cyber-mature retailer have?
The immediate financial damage is only one aspect that online retailers need to be concerned with. Enforcement of the GDPR in the EU can be devastating to businesses large and small.
The breach report highlights four additional security actions and practices online retailers should follow to limit their exposure to attacks.
Be sure to read CyberInt’s breach report profiling the Magecart scraping attack for full details.